Browsers give you three main client-side storage options. Picking the right one is about lifetime, scope, size, and who needs to read it.

localStorage

• Lifetime: persists until explicitly cleared (survives restarts).
• Scope: per-origin, shared across all tabs/windows of that origin.
• Size: ~5–10MB.
• API: synchronous, string-only — localStorage.setItem(k, JSON.stringify(v)).
• Use for: user preferences, theme, cached non-sensitive data, feature-flag overrides.

sessionStorage

• Lifetime: cleared when the tab closes (a page reload keeps it; a duplicated tab gets a fresh copy).
• Scope: per-origin per-tab — not shared between tabs.
• Use for: multi-step form state, scroll position, one-off flows you don't want leaking across tabs.

Cookies

• Lifetime: Expires/Max-Age, or session cookie if omitted.
• Size: ~4KB total per domain — tiny.
• Key difference: automatically attached to every HTTP request to the domain, so the server can read them. localStorage/sessionStorage are client-only.
• Security flags: HttpOnly (JS can't read it — defeats XSS token theft), Secure (HTTPS only), SameSite (CSRF protection).
• Use for: auth/session tokens, anything the server needs per-request.

Decision rule

• Server needs it per request → cookie (with HttpOnly + Secure + SameSite).
• Client-only, must survive restarts → localStorage.
• Client-only, scoped to one tab session → sessionStorage.
• Large, structured, or needs indexing/transactions → IndexedDB (async, much bigger).

Important caveats

• localStorage/sessionStorage are synchronous — large reads/writes block the main thread.
• All three are readable by JS unless the cookie is HttpOnly → never store secrets or unencrypted PII in localStorage; it's fully exposed to XSS.
• Storage is per-origin — https://app.com and https://api.app.com don't share it.
• Use the storage event to sync localStorage changes across tabs.